Security teams relying on CVSS scores to prioritize patches may be underestimating the risk of a newly disclosed Microsoft Word vulnerability. Microsoft describes CVE-2026-45643 as a “Microsoft Word Remote Code Execution Vulnerability,” yet the CVSS vector string assigns an attack vector of Local (AV:L). This discrepancy between labeling and scoring can create confusion in vulnerability management programs, leading to delayed patching and increased exposure.
The Anatomy of a Mislabeled Threat
CVE-2026-45643 exists in Microsoft Word and allows code execution when a user opens a specially crafted file. The Common Vulnerability Scoring System (CVSS) evaluates this vulnerability with a base score of 7.8, classifying it as High severity. However, because the attack vector is Local, many automated tools filter it below remotely exploitable flaws with network vectors (AV:N). This is where the danger hides.
Microsoft’s security team uses the term “remote code execution” (RCE) to indicate that the attacker can operate from a distant location—often via email or a malicious website delivering the payload. CVSS, on the other hand, defines the attack vector based on the immediate technical method: since the exploit requires the user to open a file, the attack is considered local. Both perspectives are technically correct, but they serve different purposes. Microsoft’s language focuses on the attacker’s position, while CVSS describes the attack’s entry point.
CVSS Attack Vector: Local vs. Network
The CVSS v3.1 specification defines Attack Vector (AV) as “the context by which vulnerability exploitation is possible.” The two most common values are Network (AV:N) and Local (AV:L). A network vector means the vulnerability can be exploited over a network without any user interaction—think of a wormable flaw like EternalBlue. A local vector, however, requires the attacker to have local access to the system or rely on user interaction to trigger the exploit.
For CVE-2026-45643, the AV:L designation indicates that the attacker cannot simply send a network packet to compromise the machine; instead, a user must open a malicious document. This is the classic pattern for most Office-based attacks. Yet, labeling it “local” can be misleading because the initial delivery of the malicious file almost always happens remotely—via email attachments, shared links, or compromised websites.
The Real-World Risk: How Attackers Exploit “Local” RCEs
History shows that “local” attack vectors in Office applications are among the most widely exploited. Notable campaigns such as Emotet, TrickBot, and the recent Follina exploitation wave (CVE-2022-30190) all required user interaction yet still caused massive global damage. Attackers craft phishing lures that convince recipients to open a document, so the local vector imposes no real limitation on them.
In the case of CVE-2026-45643, successful exploitation grants the attacker the ability to run arbitrary code with the privileges of the logged-in user. If that user holds administrative rights, the attacker can install programs, view data, or create new accounts. Even without admin rights, initial access often serves as a beachhead for further lateral movement.
Enterprises that rely solely on CVSS base scores to triage vulnerabilities may deprioritize CVE-2026-45643 because its 7.8 score is lower than many Internet-facing remote code execution flaws. Yet, the actual exposure in environments with email gateways, file-sharing platforms, and web-based collaboration tools is significantly higher than the score suggests.
The Labeling Gap: Microsoft’s Descriptor vs. CVSS Metrics
Microsoft’s Security Response Center (MSRC) often uses intuitive descriptions that reflect the attacker’s vantage point. They will label an issue “Remote Code Execution” if an attacker can initiate the attack from a remote location, regardless of whether user interaction is required. This approach makes the threat easier for administrators to understand at a glance. In contrast, CVSS decouples the attacker’s location from the attack mechanism, focusing purely on the technical exploit path.
The result is a perception gap. A vulnerability labeled “Microsoft Word Remote Code Execution” sounds urgent, but seeing “AV:L” in the CVSS string can cause a security analyst to set a lower priority. Automated risk scoring platforms that ingest CVSS data may flag it as a medium severity task, delaying patch deployment.
Comparing CVSS Scores for Office Vulnerabilities
| CVE ID | CVSS Score | Attack Vector | Microsoft Descriptor |
|---|---|---|---|
| CVE-2026-45643 | 7.8 High | Local (AV:L) | Remote Code Execution |
| CVE-2023-21716 (Typical) | 7.8 High | Local (AV:L) | Remote Code Execution |
| CVE-2017-0199 | 7.1 High | Network (AV:N) | Remote Code Execution |
Table note: CVE-2017-0199 had a true network vector because it exploited Microsoft Office’s Remote Content Loading feature without user interaction, making it more severe. The CVSS scores accurately reflect the difference, but the Microsoft descriptors do not.
Enterprise Risk Management: Beyond the Base Score
Effective vulnerability management requires more than sorting by CVSS base score. Organizations should consider:
- Attack Complexity (AC): Low complexity means the attack is easy to replicate. CVE-2026-45643 has AC:L, meaning no special conditions are required once the document is opened.
- User Interaction (UI): Required user interaction (UI:R) reduces the network attack surface but does not lessen the risk when considering social engineering.
- Privileges Required (PR): For Word vulnerabilities, code execution typically runs with user privileges. Low privilege requirements increase the impact.
- Scope (S): Unchanged scope means the vulnerability does not affect resources beyond its security authority, but for desktop applications, this is standard.
A more accurate risk picture emerges by overlaying the exploit’s delivery vector with the CVSS score. Since email remains the number one delivery method for malware, any Office vulnerability with low attack complexity and required user interaction should be treated as a high-priority patch—regardless of the CVSS attack vector categorization.
Threat Intelligence Context
Threat actors quickly weaponize publicly disclosed Office vulnerabilities. Proof-of-concept code often appears within days, and the long tail of unpatched systems becomes a prime target. With CVE-2026-45643, even though official details are still emerging, the pattern suggests that attack code could surface imminently. Enterprises should monitor their email security posture, disable macros by default, and deploy Microsoft’s patch as soon as it is available.
Practical Mitigation Strategies
While waiting for or applying the patch, organizations can reduce exposure:
- Enable Protected View: Microsoft Office applications open files from the internet in read-only mode by default. Ensure this feature is not disabled.
- Disable Macros Without Notification: Set group policies to block macros from running in Office documents from untrusted sources.
- Use Application Guard for Office: Isolate untrusted files in a virtualized container so that exploitation cannot compromise the host.
- Educate Users: Train employees to recognize phishing attempts and avoid opening attachments from unknown senders.
- Segment Networks: Limit the blast radius by restricting outbound network connections from user workstations to only necessary services.
These measures are not specific to CVE-2026-45643 but apply universally to the class of Office-based attacks. They can drastically reduce the likelihood of successful exploitation even before a patch is deployed.
The Patch: Timing and Deployment
Microsoft typically releases security updates on the second Tuesday of each month. For critical vulnerabilities like CVE-2026-45643, an out-of-band patch is possible if active exploitation is detected. As of this writing, no active exploits have been reported, but the risk remains. Security teams should expect the patch to appear in the next regularly scheduled update cycle and plan to expedite its deployment to all endpoints running Microsoft Word.
Detection and Response
Until patched, detection of exploitation attempts is crucial. Endpoint detection and response (EDR) tools can monitor for suspicious process creation from winword.exe or abnormal file writes. Indicators of compromise might include:
- Word spawning unexpected child processes like cmd.exe or powershell.exe.
- Writing executable content to startup folders or temp directories.
- Network connections to known malicious domains initiated by Office applications.
Security operations centers (SOCs) should update their detection rules to flag such behaviors and run threat-hunting exercises across endpoints.
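The three behaviours listed above, written out as a small rule set: an added Python example rather than any vendor's detection logic. The events are constructed Sysmon-style JSON lines, and the blocked domain is a placeholder for a threat-intelligence feed.

```python
import json
from pathlib import PureWindowsPath
from typing import Optional

# Rule parameters for the behaviours listed above; extend the sets to taste.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".ps1", ".vbs", ".hta"}
DROP_DIR_MARKERS = ("\\startup\\", "\\temp\\")
BLOCKED_DOMAINS = {"malicious.example"}   # placeholder; feed from threat intelligence in practice

# Constructed Sysmon-style events, one JSON object per line (not real telemetry).
SAMPLE_EVENTS = r"""
{"type":"process_create","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","parent_image":"C:\\Windows\\explorer.exe"}
{"type":"process_create","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"type":"file_create","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","target":"C:\\Users\\alice\\Documents\\report.docx"}
{"type":"file_create","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","target":"C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe"}
{"type":"network_connect","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","dest_host":"malicious.example"}
{"type":"process_create","image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Windows\\explorer.exe"}
"""

def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def evaluate(event: dict) -> Optional[str]:
    """Return the name of the rule this event trips, or None if it looks benign."""
    kind, image = event.get("type"), _name(event.get("image", ""))
    if kind == "process_create":
        if _name(event.get("parent_image", "")) in OFFICE_APPS and image in SHELL_CHILDREN:
            return "office_spawned_shell"
    elif kind == "file_create" and image in OFFICE_APPS:
        target = event.get("target", "").lower()
        if PureWindowsPath(target).suffix in EXEC_SUFFIXES and any(m in target for m in DROP_DIR_MARKERS):
            return "office_wrote_executable_to_drop_dir"
    elif kind == "network_connect" and image in OFFICE_APPS:
        if event.get("dest_host", "").lower() in BLOCKED_DOMAINS:
            return "office_contacted_blocked_domain"
    return None

def analyze(jsonl: str) -> list:
    """Run the rules over newline-delimited JSON events and return one alert per hit."""
    alerts = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            rule = evaluate(event)
            if rule:
                alerts.append({"rule": rule, "image": _name(event["image"]), "event": event})
    return alerts
```

Running `analyze(SAMPLE_EVENTS)` yields three alerts, one per rule, while Word launched from Explorer, a .docx save, and a shell started by the user are left alone.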
Industry Implications: A Call for Clarity
The confusion between “remote” and “local” in vulnerability descriptions highlights a broader need for standardized communication. While CVSS is the de facto scoring standard, its vector values can obscure the true risk of client-side exploits. Some experts have proposed an additional risk dimension—delivery vector—that could accompany the CVSS score to give defenders a clearer view. Until then, manual review of vendor advisories remains essential.
Microsoft’s continued use of “Remote Code Execution” for local-vector vulnerabilities may be deliberate: it signals that the flaw can be triggered by content from an external source. For Windows administrators, this is a call to not treat all “AV:L” issues equally. A Word vulnerability with user interaction is far more dangerous than a privilege escalation that requires an attacker to already have a foothold.
Conclusion
CVE-2026-45643 exemplifies the gap between technical scoring and practical threat assessment. While CVSS provides a repeatable and quantitative measure, it can inadvertently mislead when taken out of context. For enterprise security teams, the lesson is clear: do not let a “Local” attack vector fool you into complacency. If an attacker can send an email, the vulnerability is functionally remote. Patch promptly, layer defenses, and train your users. The next phishing campaign may already be weaponizing this flaw.